ANDRZEJ DUPA Virus – Remove and Restore .CRAB Extension Files

ANDRZEJ DUPA Virus – Remove and Restore .CRAB Extension Files

ANDRZEJ DUPA virus is a ransomware that impersonates GandCrab by applying the .CRAB extensionto the affected files. The security analysis reveals that it merely imitates it and is likely that it will change over time. Read our in-depth removal guide for more information about it.

Threat Summary

TypeRansomware, Cryptovirus
Short DescriptionThe ransomware encrypts sensitive information on your computer system with the .CRAB extensions and demands a ransom to be paid to allegedly recover them.
SymptomsThe ransomware will encrypt your files with a strong encryption algorithm.
Distribution MethodSpam Emails, Email Attachments
Detection Tool See If Your System Has Been Affected by ANDRZEJ DUPA


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss ANDRZEJ DUPA.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

ANDRZEJ DUPA Virus – Distribution Ways

The ANDRZEJ DUPA virus is a typical malware that is being delivered to target users via the popular means. A typical example is the use of spam email messages that utilize social engineering tactics in order to coerce the users into interacting with the dangerous elements. The virus files may be either hyperlinked or attached directly to the messages. They are are also among the main carriers of virus payloads. Two of the most popular examples are the following:

  • Infected Documents — The hackers behind the ANDRZEJ DUPA virus may embed its code into documents of all types: rich text documents, spreadsheets and presentations. When they are opened a message will appear asking them to enable the built-in scripts. If this is done then the threat will be downloaded from a remote location and executed on the local machine.
  • Software Installers — The hackers primarily target popular software such as system utilities, creativity suites and even computer games.

Infections with the malware can also be caused through the use of web scripts. This encompasses all manners of banners, pop-ups and redirects. The infections can also affect legitimate sites via affiliate and ad networks.

Another method that is employed by computer hackers is the integration of the ANDRZEJ DUPA virus in browser hijackers. They are malicious browser plugins that are made for the most popular web browsers (Mozilla Firefox, Google Chrome, Safari, Opera, Internet Explorer and Microsoft Edge). Typically they are distributed on the relevant plugin repositories and coerce the users into installing them. Usually the hackers utilize fake credentials, user reviews and elaborate descriptions.

ANDRZEJ DUPA Virus – In-Depth Analysis

The ANDRZEJ DUPA virus is a newly discovered ransomare that is being pushed to users in several attacks. The campaigns themselves are relatively short and frequent which gives us two likely scenarios that govern its operations. The first one is the proposition that the code powering it has been shared on the underground hacker forums and used by different groups. The other hypothesis about the origins of the ANDRZEJ DUPA virus is that its being run by an individual or criminal collective that is rapidly developing the strains.

As it is rapidly expanding different updates to its source code can be made. This means that the different samples may also execute different behavior patterns.

The infections may begin with a data harvesting component that can gather sensitive information about the infected machine and the victim users themselves. The harvested data is categorized into two main types:

  • Personal Data — The component is used to reveal sensitive information about the users, specifically their name, address, location, interests, passwords and account credentials.
  • Anonymous Metrics — They are used to optimize the campaigns and are composed of strings taken from the operating system and information about the installed hardware components.

The obtained data can be then fed to a stealth protection component. It’s purpose is to scan the running applications for services that can interfere with its execution: anti-virus software, sandbox and debug environments or virtual machine hosts. The malware engine is programmed to bypass their real-time engines or altogether delete the applications. In certain cases the viruses can delete themselves in order to avoid detection.

Follow-up changes can include Windows Registry of different kinds. Usually the engines manipulate already existing strings belonging to user-installed applications and the Windows operating system. As a consequence some functions may stop working and the victims can experience significant performance issues.

Future versions of the ANDRZEJ DUPA virus can also manipulate the boot options which can disallow access to the boot recovery menu. An additional effect can be the institution of a persistent installation that can make the virus execute every time the computer is started.

Advanced Trojan-like behavior is expected to be integrated in future versions. A common way is to launch a specific network component that can connect to a hacker-controlled server. It can be used to spy on the victims in real time and overtake control of the affected machines.

ANDRZEJ DUPA Virus – Encryption Process

The associated ransomware component is launched once all prior processes have completed. It uses a powerful cipher in order to encrypt sensitive user data according to a built-in list of target file types. An example list may include any of the following:

  • Backups
  • Databases
  • Archives
  • Documents
  • Images
  • Videos
  • Music

An interesting fact is that it renames the affected data with the same .CRAB extension as the GandCrab ransomware family. In fact the code analysis reveals that it’s no way related to the malware family. The detected samples are using a lockscreen instance in order to scare the users and attempt to manipulate them into paying a ransom decryption fee. The lockscreen is created as an application frame with the ANDRZEJ DUPA title and reads the following message:

HELLO MY FRIEND!!!! I’am very sorry, but all your personal files have been encryptd :(

Shutdown will be erased

What Happened to My Computer?
Your important files are encrypted.
Many of your documents, photo, video, databases and other files are no longer
aaccessible because he have been encrypted. Maybe you are busy looking for a way to
recover your files but do not wasteyour time. Nobody can recover your files without
our decryption service.
Can I Recover My File?
Sure, We guarantee that you can recover all your files safely and easily. But you
have not so enough time.
You can decrypt some of your files for free.
The bitcoin address will be saved to the “ZaszyfrowanePliki.tct” file or Copy the software address
Contact Us:

Bear in mind that the email address translated to “Encrypted files” from Polish. This likely means that the criminals originate from Poland.

Remove ANDRZEJ DUPA Virus and Restore .ANDRZEJ DUPA Files

If your computer system got infected with the ANDRZEJ DUPA ransomware virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the ransomware and follow the step-by-step instructions guide provided below.


Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.

More Posts - Website

Follow Me:
TwitterGoogle Plus

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share